Closed Bug 1623472 Opened 5 years ago Closed 4 years ago

Trustis: Gap between audit periods

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: blake.morgan)

Details

(Whiteboard: [ca-compliance] [audit-failure])

Audit statement from last year:
https://bug1360184.bmoattachments.org/attachment.cgi?id=9047305
"Verification Audit Period 17 February 2018 to 15 January 2019"

Original audit statement provided for this year:
https://bug1360184.bmoattachments.org/attachment.cgi?id=9129489
"Verification Audit Period 17 February 2019 - 16 February 2020"

Gap in audit coverage between 15 January 2019 and 17 February 2019.

The CA and auditor provided a new audit statement for this year:
https://bug1360184.bmoattachments.org/attachment.cgi?id=9134123
"Verification Audit Period 17 February 2019 - 15 January 2020"

Gap in audit coverage between 15 January 2019 and 17 February 2019 remains.

If it had been fixed correctly in the updated audit statement, then I would have assumed it was a typo or copy-paste error. But now I am concerned that this CA and their auditor are not understanding audit periods and the importance of not having gaps between audit periods.

I think that this warrants having the CA provide an Incident Report to explain what is going on and how it is going to be resolved and not repeated.

If the auditor does issue another audit statement that changes the audit period start date to 16 January 2019, how am I supposed to have confidence that the auditor actually did something to be able to provide an attestation that now covers the previously unaccounted for time?
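As an added example (not part of this bug or of any CA or auditor tooling), a small Python checker that parses the "Verification Audit Period" lines quoted above and reports the days not covered by any consecutive pair of statements. The regex and the sample lines are my own construction from the quoted statements; it accepts both the "to" and the "-" separators seen here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two audit period lines quoted in this bug.
STATEMENTS = [
    "Verification Audit Period 17 February 2018 to 15 January 2019",
    "Verification Audit Period 17 February 2019 - 16 February 2020",
]

# Matches "<day> <Month> <year>" pairs separated by "to", "-" or an en dash.
PERIOD_RE = re.compile(
    r"Audit Period\s+(\d{1,2} \w+ \d{4})\s*(?:to|-|\u2013)\s*(\d{1,2} \w+ \d{4})",
    re.IGNORECASE,
)


def parse_period(statement):
    """Return (start, end) dates from one audit statement line."""
    m = PERIOD_RE.search(statement)
    if not m:
        raise ValueError(f"no audit period found in: {statement!r}")
    start, end = (datetime.strptime(s, "%d %B %Y").date() for s in m.groups())
    if end < start:
        raise ValueError(f"audit period ends before it starts: {statement!r}")
    return start, end


def audit_gaps(statements):
    """Return [(first_uncovered, last_uncovered, days)] for every hole between
    consecutive audit periods; contiguous or overlapping periods yield nothing."""
    periods = sorted(parse_period(s) for s in statements)
    gaps = []
    for (_, prev_end), (next_start, _) in zip(periods, periods[1:]):
        first_uncovered = prev_end + timedelta(days=1)
        if next_start > first_uncovered:
            last_uncovered = next_start - timedelta(days=1)
            days = (last_uncovered - first_uncovered).days + 1
            gaps.append((first_uncovered, last_uncovered, days))
    return gaps


if __name__ == "__main__":
    for first, last, days in audit_gaps(STATEMENTS):
        print(f"uncovered: {first} to {last} ({days} days)")
```

For the statements quoted above this reports 16 January 2019 to 16 February 2019 as uncovered; the corrected statement ending 15 January 2020 produces the same gap because its start date was not changed.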

As an interim response pending a more comprehensive response from our auditors, we recognise the concerns regarding the perceived gap in audit dates but be assured that there is full audit coverage over the periods concerned. We also recognise this has not been articulated well in the audit statements submitted by the auditors. I have raised this as an issue with the auditors and I await their formal response.

I should point out that this CA is being retired and that no certificates have been issued since January 2018. There is no change to our level of commitment to compliance with the requirements.

A full incident report will be provided once a response is received from the auditors.

(In reply to Blake Morgan from comment #1)

> I should point out that this CA is being retired and that no certificates have been issued since January 2018. There is no change to our level of commitment to compliance with the requirements.

Please help me understand your response in the January 2020 CA Communication:
"End-entity certificate issuance under the current service has been discontinued therefore no new certificates will be issued after 1st July, 2020. Please Note: No certificate has been issued since 2nd January 2018 and no further Certificates will be issued until the service is terminated following the expiration of the last certificate (2nd January 2021)."

I filed Bug #1634584 to set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA, and am confused about which date to use for the server-distrust-after date. Should it be July 1, 2020? Or should it be January 2, 2018?

Flags: needinfo?(blake.morgan)

Incident Report - Perceived Audit Gap

It is understood that there is a perceived gap in the audit coverage for this CA due to the numerous incorrect Audit Statements supplied. Entrust and the audit body can assure CAB Forum that there was full audit coverage of this period; however, quality issues in supplying a compliant Audit Statement caused confusion. It is recognised that this issue was not remedied in a satisfactory manner and an investigation was conducted.

1. How the CA became aware of the problem

This was highlighted during the Audit Case Review and flagged with Entrust.

2. Timeline of actions the CA took in response

A review of the audit statement was conducted with the Audit body over a number of weeks. This was not conducted as expeditiously as desired due to the demands and related priorities associated with Business Continuity during the Covid-19 crisis.

3. Whether CA has stopped etc

Not Applicable

4. Summary of problematic certificates

Not Applicable

5. Complete certificate data for problematic certificates

Not applicable

6. Explanation about how and why the mistakes were made

The specific issue which led to the perceived gap in the audit coverage was the insertion of incorrect dates into the supplied Audit Statements. This was due to the statement being generated as part of an audit document pack that included an accredited ISO27001:2013 certificate, a tScheme PKI report and an ETSI audit statement, with three different quality control processes being applied, with the result that errors inadvertently occurred.

Given that these dates weren’t corrected when a subsequent audit statement was produced, we completely understand how this could undermine the confidence in the audit period and lead to the belief that a period of time hadn’t been accounted for. In reality, there never was a discrepancy in the audit period; the discrepancy was created in the audit statement. The underlying detailed audit reports are correctly dated. Unfortunately however, administrative errors were made when transferring these dates to the audit statement report, and hence the resulting confusion over the real dates and audit period.

7. List of steps the CA is taking to resolve the situation

In future the audit periods in question will be clearly defined in advance of the actual audit so that there can be no confusion as to the contents of the audit statement and its subsequent accuracy. Further, a more rigorous review process will be undertaken by Entrust to ensure the information contained in the audit statements is accurate before being released to Mozilla.

IMPORTANT NOTE: This CA is no longer issuing certificates with the last one being issued in January 2018. Certificate status and revocation mechanisms are being maintained and controls are in place to prevent, detect and alert to the issuance of any new certificates.

Flags: needinfo?(blake.morgan)

Updated audit statement:
https://bug1360184.bmoattachments.org/attachment.cgi?id=9146189

Notes:

While the auditor's mistakes in the audit statements are disappointing, I think this particular bug may be closed as resolved fixed.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] Audit Gap → [ca-compliance] [audit-failure]